From 119b7a2ca0ef2bf3f81897ae10301b8ca8cba844 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 21 Sep 2016 01:35:12 +0000 Subject: upstream commit test all the AuthorizedPrincipalsCommand % expansions Upstream-Regress-ID: 0a79a84dfaa59f958e46b474c3db780b454d30e3 --- regress/principals-command.sh | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) (limited to 'regress/principals-command.sh') diff --git a/regress/principals-command.sh b/regress/principals-command.sh index c0be7e747..19d7d6c96 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -12,12 +12,36 @@ if test -z "$SUDO" ; then exit 0 fi +SERIAL=$$ + +# Create a CA key and a user certificate. +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ + fatal "ssh-keygen of user_ca_key failed" +${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \ + fatal "ssh-keygen of cert_user_key failed" +${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ + -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ + fatal "couldn't sign cert_user_key" + +CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` +CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'` +CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` +CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` + # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 +test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 +test "x\$3" != "xssh-ed25519" && exit 1 +test "x\$4" != "xJoanne User" && exit 1 +test "x\$5" != "x${SERIAL}" && exit 1 +test "x\$6" != "x${CA_FP}" && exit 1 +test "x\$7" != "x${CERT_FP}" && exit 1 +test "x\$8" != "x${CERT_BODY}" && exit 1 +test "x\$9" != "x${CA_BODY}" && exit 1 test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF @@ -31,15 +55,6 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then exit 0 fi -# Create a CA key and a user certificate. -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ - fatal "ssh-keygen of user_ca_key failed" -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ - fatal "ssh-keygen of cert_user_key failed" -${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ - -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ - fatal "couldn't sign cert_user_key" - if [ -x $PRINCIPALS_CMD ]; then # Test explicitly-specified principals for privsep in yes no ; do @@ -51,7 +66,8 @@ if [ -x $PRINCIPALS_CMD ]; then cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ + "%u %t %T %i %s %F %f %k %K" echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" ) > $OBJ/sshd_proxy -- cgit v1.2.3 From ce44c970f913d2a047903dba8670554ac42fc479 Mon Sep 17 00:00:00 2001 From: "bluhm@openbsd.org" Date: Mon, 26 Sep 2016 21:34:38 +0000 Subject: upstream commit Allow to run ssh regression tests as root. If the user is already root, the test should not expect that SUDO is set. If ssh needs another user, use sudo or doas to switch from root if necessary. OK dtucker@ Upstream-Regress-ID: b464e55185ac4303529e3e6927db41683aaeace2 --- regress/agent-getpeereid.sh | 2 +- regress/keys-command.sh | 2 +- regress/principals-command.sh | 4 ++-- regress/sftp-chroot.sh | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) (limited to 'regress/principals-command.sh') diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 24b71f458..91621a59c 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.6 2016/05/03 14:41:04 djm Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.7 2016/09/26 21:34:38 bluhm Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" diff --git a/regress/keys-command.sh b/regress/keys-command.sh index af68cf15c..9c9ada7c7 100644 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh @@ -3,7 +3,7 @@ tid="authorized keys from command" -if test -z "$SUDO" ; then +if [ -z "$SUDO" -a ! -w /var/run ]; then echo "skipped (SUDO not set)" echo "need SUDO to create file in /var/run, test won't work without" exit 0 diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 19d7d6c96..680bd957f 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -6,7 +6,7 @@ tid="authorized principals command" rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -if test -z "$SUDO" ; then +if [ -z "$SUDO" -a ! -w /var/run ]; then echo "skipped (SUDO not set)" echo "need SUDO to create file in /var/run, test won't work without" exit 0 diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index 9c26eb680..4ea2fce85 100644 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-chroot.sh,v 1.4 2014/01/20 00:00:30 dtucker Exp $ +# $OpenBSD: sftp-chroot.sh,v 1.5 2016/09/26 21:34:38 bluhm Exp $ # Placed in the Public Domain. tid="sftp in chroot" @@ -7,7 +7,7 @@ CHROOT=/var/run FILENAME=testdata_${USER} PRIVDATA=${CHROOT}/${FILENAME} -if [ -z "$SUDO" ]; then +if [ -z "$SUDO" -a ! -w /var/run ]; then echo "skipped: need SUDO to create file in /var/run, test won't work without" exit 0 fi -- cgit v1.2.3 From ca04de83f210959ad2ed870a30ba1732c3ae00e3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 13 Oct 2016 18:53:43 +1100 Subject: unbreak principals-command test Undo inconsistetly updated variable name. --- regress/principals-command.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'regress/principals-command.sh') diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 680bd957f..9b38eb105 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -30,8 +30,8 @@ CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. -PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" -cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" +PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" +cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 @@ -46,16 +46,16 @@ test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF test $? -eq 0 || fatal "couldn't prepare principals command" -$SUDO chmod 0755 "$PRINCIPALS_CMD" +$SUDO chmod 0755 "$PRINCIPALS_COMMAND" -if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then - echo "skipping: $PRINCIPALS_CMD is unsuitable as " \ +if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then + echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \ "AuthorizedPrincipalsCommand" - $SUDO rm -f $PRINCIPALS_CMD + $SUDO rm -f $PRINCIPALS_COMMAND exit 0 fi -if [ -x $PRINCIPALS_CMD ]; then +if [ -x $PRINCIPALS_COMMAND ]; then # Test explicitly-specified principals for privsep in yes no ; do _prefix="privsep $privsep" -- cgit v1.2.3